Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Have a challenge with a backup bucket containing the secret #982

Open
3 tasks
commjoen opened this issue Sep 9, 2023 · 12 comments
Open
3 tasks

Have a challenge with a backup bucket containing the secret #982

commjoen opened this issue Sep 9, 2023 · 12 comments
Labels
help wanted Extra attention is needed New Challenge Adding a new Challenge

Comments

@commjoen
Copy link
Collaborator

commjoen commented Sep 9, 2023

Context

  • What should the challenge scenario be like?
    Have a backup s3/storage bucket with a private ed25519 key publicly exposed
  • What should the participant learn from completing the challenge?
    Secure your backup at all cost
  • For what category would the challenge be? (e.g. Docker, K8s, binary)
    Docker/cloud depending on how we implement the backup solution

Actions:

  • create separate Terraform folder to have an S3 bucket (in our AWS folder) under the name "backupchallenge"
  • have the key copying logic in a shell script using AWS CLI as part of the backupchallenge folder
  • implement the challenge according to contributing.md and make sure you hide the key in your classfile.
@commjoen commjoen added the New Challenge Adding a new Challenge label Sep 9, 2023
@commjoen commjoen changed the title Backup keys van backup service Have a challenge with a backup bucket containing the secret Sep 9, 2023
@commjoen commjoen added help wanted Extra attention is needed hacktoberfest labels Sep 29, 2023
@PalaniappanC
Copy link

PalaniappanC commented Sep 30, 2023

Hi @commjoen I would like to work on this challenge can you assign this to my name

@commjoen
Copy link
Collaborator Author

Thank you for volunteering @PalaniappanC ! I have assigned the issue to you.

@PalaniappanC
Copy link

Hi @commjoen I have setup the project and started with implementing the basic challenge as per the contributing.md file. I have doubts around the terraform and s3 bucket part.

I have created a seperate terraform folder under the AWS folder. I have performed the terraform initialisation to have an s3 bucket called backupchallenge.

I have doubts in the remaining two tasks. Can you explain them in a little detailed manner

@commjoen
Copy link
Collaborator Author

commjoen commented Oct 6, 2023

So the idea is that the secret itself is kept in a file. The file should be:

The challenge then needs to be loaded with the location of the secret (E.g. either in test resources or in a hidden location within the docker container, similar to other file-based challenges. Please have a look at https://github.com/OWASP/wrongsecrets/blob/master/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java on how to load this from a pre-set path.

@PalaniappanC
Copy link

Hi @commjoen

We should have the copy logic in this docker right?
https://github.com/OWASP/wrongsecrets/blob/master/Dockerfile

@commjoen
Copy link
Collaborator Author

commjoen commented Oct 8, 2023

Yes sir :-)

@commjoen
Copy link
Collaborator Author

Feel free to draft a PR or contact us on Slack if you need anything :).

@PalaniappanC
Copy link

Hi @commjoen Have got stuck up with regular routine this week. Will draft a PR this weekend.

@PalaniappanC
Copy link

Hi @commjoen we should have the logic to create secret file in docker-create.sh and we should have the file copy logic in Dockerfile right

@commjoen
Copy link
Collaborator Author

Hi @commjoen we should have the logic to create secret file in docker-create.sh and we should have the file copy logic in Dockerfile right

Yes :-)

@commjoen
Copy link
Collaborator Author

commjoen commented Feb 11, 2024

Hi @PalaniappanC ! How are you doing? Do you have any updates on this good sir :) ?

@PalaniappanC
Copy link

PalaniappanC commented Feb 12, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed New Challenge Adding a new Challenge
Projects
Status: To do
Development

No branches or pull requests

2 participants